Privacy Policy
Playlist → Crate Digger (the "Service"). Last updated 23 May 2026.
Who we are
The Service is operated by Camp Pickleback, LLC ("we", "us"). Contact: social@camppickleback.com.
What the Service does
Playlist → Crate Digger lets you log in with your Spotify account, browse your playlists, and view each track alongside search links to third-party music stores (Beatport, Traxsource, Juno) so you can find tracks to purchase.
Data we access from Spotify
When you log in with Spotify and grant the requested permissions (playlist-read-private, playlist-read-collaborative), we read the following from the Spotify Web API on your behalf:
- Your Spotify display name, user ID, profile image URL, and public profile URL (from /v1/me) — used to display your avatar in the page header.
- The metadata of playlists you own or follow (name, owner, cover image, track count) (from /v1/me/playlists) — used to render the playlist picker.
- The metadata of tracks in a playlist you select (track name, artist name(s), ISRC) (from /v1/playlists/{id}/tracks) — used to construct store search URLs.
Data we do not collect
- No analytics, tracking pixels, or third-party advertising.
- No server-side database. We do not retain your data on our servers.
- No payment information. The Service is free.
Where data is stored
All Spotify data fetched by the Service stays in your browser memory while you use the page. We use browser storage for authentication only:
- sessionStorage: short-lived access token, token expiry timestamp, and OAuth state parameter. Cleared when you close the browser tab.
- localStorage: long-lived refresh token. Cleared when you click Logout, clear site data, or revoke app access in your Spotify account.
We do not set HTTP cookies.
How tokens are exchanged
To complete the Spotify OAuth flow, your browser sends the authorization code returned by Spotify to a serverless function we host on Cloudflare Pages. That function attaches our application's client secret (which never leaves the server) and forwards the exchange request to Spotify's token endpoint. The resulting access and refresh tokens are returned to your browser and stored as described above. We do not log, persist, or share these tokens.
Third parties
- Spotify: the source of all music data. Your interaction with Spotify is governed by Spotify's own privacy policy.
- Cloudflare: hosts the site and the serverless functions. Standard request logs may be retained by Cloudflare per their privacy policy.
- Music stores (Beatport, Traxsource, Juno): when you click a search link, you leave the Service and arrive at the third-party store. Their privacy practices govern your interaction with them.
Your choices
- Click Logout in the app to clear all locally stored tokens.
- Revoke the application's access at any time in your Spotify Account: spotify.com/account/apps.
- Clear your browser's site data for this domain to remove all locally stored information.
Children
The Service is not directed to children under 13 and we do not knowingly collect data from them.
Changes
We may update this policy. The "Last updated" date above reflects the current version.
Contact
Questions: social@camppickleback.com.